[MTSRE-1280] ADO comply with "restricted" PSA enforcement (#383)

Ankit152 · web-flow · commit 232d05b8f157 · 2023-08-09T03:09:39.000-04:00
* chore: [mtsre-1280] ADO comply with restricted PSA enforcement

Signed-off-by: Ankit152 &lt;akurmi@redhat.com&gt;

* chore: updated user to 1001

Signed-off-by: Ankit152 &lt;akurmi@redhat.com&gt;

---------

Signed-off-by: Ankit152 &lt;akurmi@redhat.com&gt;
diff --git a/config/deploy/deployment.yaml.tpl b/config/deploy/deployment.yaml.tpl
@@ -38,6 +38,10 @@ spec:
           name: trusted-ca-bundle
           optional: true
         name: trusted-ca-bundle
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: metrics-relay-server
         image: quay.io/openshift/origin-kube-rbac-proxy:4.10.0
@@ -72,6 +76,11 @@ spec:
           requests:
             cpu: 100m
             memory: 30Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
       - name: manager
         image: quay.io/openshift/addon-operator:latest
         args:
@@ -99,3 +108,8 @@ spec:
           requests:
             cpu: 100m
             memory: 300Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
diff --git a/config/deploy/webhook/deployment.yaml.tpl b/config/deploy/webhook/deployment.yaml.tpl
@@ -42,6 +42,10 @@ spec:
           key: node-role.kubernetes.io/infra
         - effect: NoSchedule
           key: node-role.kubernetes.io/master
+      securityContext:
+        runAsNonRoot: true
+        seccompProfile:
+          type: RuntimeDefault
       containers:
       - name: webhook
         image: quay.io/openshift/addon-operator-webhook:latest
@@ -70,6 +74,11 @@ spec:
           requests:
             cpu: 100m
             memory: 30Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
       volumes:
       - name: tls
         secret:
diff --git a/config/docker/addon-operator-manager.Dockerfile b/config/docker/addon-operator-manager.Dockerfile
@@ -14,6 +14,6 @@ WORKDIR /
 
 COPY addon-operator-manager /usr/local/bin/
 
-USER "noroot"
+USER 1001
 
 ENTRYPOINT ["/usr/local/bin/addon-operator-manager"]
diff --git a/config/docker/addon-operator-webhook.Dockerfile b/config/docker/addon-operator-webhook.Dockerfile
@@ -14,6 +14,6 @@ WORKDIR /
 
 COPY addon-operator-webhook /usr/local/bin/
 
-USER "noroot"
+USER 1001
 
 ENTRYPOINT ["/usr/local/bin/addon-operator-webhook"]
diff --git a/config/docker/api-mock.Dockerfile b/config/docker/api-mock.Dockerfile
@@ -14,6 +14,6 @@ WORKDIR /
 
 COPY api-mock /usr/local/bin/
 
-USER "noroot"
+USER 1001
 
 ENTRYPOINT ["/usr/local/bin/api-mock"]
diff --git a/config/docker/prometheus-remote-storage-mock.Dockerfile b/config/docker/prometheus-remote-storage-mock.Dockerfile
@@ -14,6 +14,6 @@ WORKDIR /
 
 COPY prometheus-remote-storage-mock /usr/local/bin/
 
-USER "noroot"
+USER 1001
 
 ENTRYPOINT ["/usr/local/bin/prometheus-remote-storage-mock"]
